US authorities just took down ‘one of the most powerful DDoS botnets to ever exist’ with help from AWS
Rapper Bot is believed to have been behind more than 370,000 attacks, including one on the X platform
An Oregon man has been arrested and charged amid allegations that he coordinated the Rapper Bot botnet, believed to have caused huge outages on X.
Ethan Foltz, 22, has been charged in the District of Alaska with developing and administering the DDoS-for-hire botnet, which has conducted a series of large-scale cyber attacks since at least 2021.
Campaigns in August 2022 and December 2022 focused on brute-forcing devices with weak or default SSH and Telnet credentials to expand the botnet’s footprint for launching DDoS attacks.
The following year, analysis from Fortinet shows it started branching out into cryptojacking, specifically for Intel x64 machines.
At first, the attackers deployed and executed a separate Monero cryptominer alongside the usual Rapper Bot binary, later combining both functionalities into a single bot.
Also known as Eleven Eleven Botnet and CowBot, Rapper Bot mainly targeted devices like digital video recorders or Wi-Fi routers at scale, exploiting them for DDoS attacks in more than 80 countries around the world.
Victims included a US Department of Defense network and several US tech companies - most notably the X social media platform, which was hit in March this year.
Rapper Bot has been on a rampage
According to authorities, Rapper Bot has been responsible for more than 370,000 attacks since April, targeting 18,000 unique victims.
It used between 65,000 and 95,000 infected victim devices to regularly conduct DDoS attacks measuring between two and three terabits per second, with the largest attack believed to have topped six terabits per second.
Even the smallest of these could cost the victim up to $10,000, according to the Department of Justice (DOJ).
Foltz allegedly provided paying customers with access to what the DOJ called “one of the most sophisticated and powerful DDoS-for-hire botnets currently in existence”.
Some Rapper Bot customers, including Chinese gambling operations, extorted victims globally.
Earlier this month, law enforcement officials executed a search warrant at Foltz’s residence in Oregon and shut down Rapper Bot’s attack capabilities, gaining administrative control. There don't appear to have been any attacks since.
“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” said US attorney Michael J. Heyman for the District of Alaska.
“Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States.”
Amazon Web Services (AWS) contributed to the takedown by identifying Rapper Bot’s command and control (C2) infrastructure, and reverse engineering the IoT malware to map its operations and activities.
Foltz is charged with one count of aiding and abetting computer intrusions, for which he could face up to ten years in prison.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
